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This is an appeal from the non-final rejection of March 13, 2008, in which all pending 
claims 24-44 were rejected. 



1 



Docket JP920030270US1 



Appl.No.: 10/735,509 
Filed: 12/12/2003 



PARTY IN INTEREST 

The assignee, International Business Machines Corporation, is the real party in 
interest. 

RELATED APPEALS AND INTERFERENCES 

This is the first appeal in the present patent application. There are no related appeals or 
interferences known to the appellant or its legal representative. 

STATUS OF CLAIMS 

Claims pending: 

Independent claims 24, 31, and 38 and dependent claims 25-30, 32-37, and 39-44 
stood pending in the application at the time of the Office action herein appealed, (the 
non-final Office action of March 13, 2008. 

Claims canceled herein: 

In this Appeal Brief, Appellant has canceled claims 3 1-44 from further consideration 
in this application. Appellant is not conceding that the subject matter encompassed by claims 
31-44 prior to this Appeal Brief is not patentable over the art cited by the Examiner. Claims 
31-44 were canceled in this Appeal Brief solely to facilitate expeditious prosecution of the 
application. Appellant respectfully reserves the right to pursue the claims, including the 
subject matter encompassed by 31-44, as presented prior to this Appeal Brief and additional 
claims in one or more continuing applications. 

Claims previously canceled: 

Claims 1-23 were previously canceled. 

Claims rejected: 

All the pending claims stand rejected in the present, nonfinal Office action. 
Claims appealed: 

Claim 24 is appealed and argued herein. 
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SUMMARY OF AMENDMENTS 

Amendments are submitted herein to amend claims 24 and 29 to change "resources" to 
"files." An amendment is also submitted herein to correct the spelling of "hash" in claim 24, 
next-to-last word in step c). No new matter is added, since the original application provides 
support for the amendments, as described in "Summary of Claimed Subject Matter" herein 
below. 

The present application, filed December 12, 2003, presented original claims 1-23. 

A first, nonfinal Office action of April 3, 2007, rejected all claims under 35 U.S.C. 
103(a). In order to overcome the rejections, Appellant responsively canceled claims 1-23 and 
submitted new claims 24-44. 

A second, final Office action of October 17, 2007 rejected all claims. Appellant filed a 
Request for Continued Examination, accompanied by an amendment which amended 
independent claims 24, 31 and 38. 

The present, nonfinal Office action of March 13, 2008 rejects all claims. 

In this reply, Appellant has canceled claims 3 1-44 from further consideration in this 
application. Appellant is not conceding that the subject matter encompassed by claims 31-44 
prior to this reply is not patentable over the art cited by the Examiner. Claims 3 1-44 were 
canceled in this reply solely to facilitate expeditious prosecution of the application. Appellant 
respectfully reserves the right to pursue the claims, including the subject matter encompassed 
by 31-44, as presented prior to this reply and additional claims in one or more continuing 
applications. 

Appellant appealed the rejection in a Notice of Appeal filed July 1 1, 2008. 
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SUMMARY OF CLAIMED SUBJECT MATTER 

The present application, as published, provides context for what is claimed, as follows: 

[0039] In a local area network environment, it is common for each personal computer 
70 to have a similar set of installed computer programs, and for some of the data files 
stored within the LAN to be replicated across several computers in the network. 
Therefore, periodic executions of the antivirus software typically involve scanning 
identical data files and executable files on many different computers. The periodic 
virus scans involve scanning newly created and newly installed files, but also 
repeating virus scans of files which were already in existence when the last virus scan 
was performed. The pre-existing files may not have changed since the last scan, but 
repeated scanning of pre-existing files has previously been considered essential for 
protection because timestamps on files cannot be relied on as evidence that the files 
have not changed. 

[0040] The inventors of the present invention have identified these issues as problems 
requiring a solution. Embodiments of the invention described below use a comparison 
of hash values computed from the bit patterns representing stored files to identify 
which files have changed since the last virus scan. The embodiment avoids full virus 
scanning of files which have not changed since the last scan. Another feature, or 
alternative embodiment, of the invention also uses a comparison of hash values to 
identify replicas of files to avoid repetitious virus scanning of multiple replicas. 
Further embodiments are described thereafter. 



[0097] A further embodiment of the invention uses statistical observation of the 
pattern of creation of new hashes to identify sudden changes within a network. For 
example, if newly computed hash values are compared with stored hash values and a 
large number of copies of a specific hash value MDi can be seen to have changed, 
this implies that the corresponding copies of the resource represented by hash value 
MDi have also changed. This could mean that a group of users are upgrading from 
one file version to another (for example if MDi consistently changes to MD 2 ) or that a 
virus is spreading through the system. The latter is most likely if a large number of 
copies of MDi have remained unchanged for a long period and are then suddenly 
replaced by a large number of different hash values—indicating the probable spread of 
a polymorphic virus. The comparison of hash values can be used once again to 
determine which resources require a virus scan and which do not. 

Claim 24 

Claim 24 describes a method for computing first hash values derived from and 
representing a plurality of replicas of a file, wherein the replicas are stored on respective data 
processing systems within a network. The claim has steps as follows: 

Step 1 : storing the computed first hash values; 

Step 2: computing current hash values for the replicas of the file; 
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Step 3: comparing the current and first hash values in order to identify whether all the 
hash values match, wherein nonmatching first and current hash values for a respective one of 
the replicas indicates the respective one of the replica has changed since the computing of the 
first hash value; 

Step 4: detecting that a vulnerability exists responsive to the hash value comparison 
indicating more than a predetermined number of changed replicas of the file, and that no 
vulnerability exists responsive to the hash value comparison indicating less than or equal to 
the predetermined number of changed replicas, wherein the predetermined number is at least 
one; and 

Step 5: presenting a message for a user indicating a vulnerability, wherein the 
presenting is responsive to the predetermined number being exceeded. 

The specification of the present application provides an exemplary embodiment of the 
invention and describes the method of claim 24 in terms of that embodiment. Specifically, 
regarding support for claim 24, see original published application, paragraphs 0048, 005 1 
(computing first hash values derived from and representing a plurality of replicas of a file, 
wherein the replicas are stored on respective data processing systems within a network); 
paragraphs 0048, 0051 (storing the computed first hash values); paragraphs 0048, 0051 
(computing current hash values for the replicas of the file); paragraphs 0048, 0051 (comparing 
the current and first hash values in order to identify whether all the hash values match, 
wherein nonmatching first and current hash values for a respective one of the replicas 
indicates the respective one of the replica has changed since the computing of the first hash 
value); paragraphs 0095, 0097 (detecting that a vulnerability exists responsive to the hash 
value comparison indicating more than a predetermined number of changed replicas of the 
file, and that no vulnerability exists responsive to the hash value comparison indicating less 
than or equal to the predetermined number of changed replicas, wherein the predetermined 
number is at least one); paragraph 0095 (presenting a message to a user indicating a 
vulnerability); and paragraphs 097 (the presenting is responsive to the predetermined number 
being exceeded). 
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GROUNDS OF REJECTION 
TO BE REVIEWED ON APPEAL 




Claims 24-29 stand rejected under 35 U.S.C. 103(a) as being unpatentable over 
Radatti (US 7,143,1 13) in view of Szor (US 200510022018). 



Independent claim 24 stands rejected under 35 U.S.C. 103(a) as being unpatentable 
over Radatti in view of Szor. Appellant respectfully submits that the rejection is improper. 



Examiner argues that Radatti discloses computing first hash values derived from and 
representing a plurality of replicas of a resource, wherein the replicas are stored on respective 
data processing systems within a network [Radatti, column 3 lines 77-34, the baseline is 
formed from the master system, all of the subsequent systems are replicas of the master 
system; therefore hash values derived from a master system represent a plurality of replicas]; 

a) storing the computed first hash values [Radatti, column 3 lines 44-48, the secure 
system data is retained in a storage area, either internally or externally]; 

b) computing current hash values for the replicas of the resource [Radatti, column 5 
lines 28-34, in the comparison cycle, files are taken one at a time and hashed (MD5); 

c) comparing the current and first hash values in order to identify whether all the hash 
values match, wherein nonmatching first and current hash values for a respective one of the 
replicas indicates the respective one of the replica has changed since the computing of the first 
hash value [Radatti, column 5 lines 33-58, the recent hash is compared with the old hash]; 

d) detecting that a vulnerability exists responsive to the hash value comparison 
indicating more than a predetermined number of changed replicas of the resource, and that no 
vulnerability exists responsive to the hash value comparison indicating less than or equal to 



ARGUMENTS 



Rejection Under 35 USC 103(a) 35 U.S.C. 103(a) over Radatti in view of Szo r. 



Claim 24 



Examiner's Position 



Claim 24: 
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the predetermined number of changed replicas [Radatti, column 7 lines 54-58, if an 
unauthorized user changes the contents, the files modified by the virus will differ]; and 

e) presenting a message for a user indicating a vulnerability, wherein the presenting is 
responsive to the predetermined number being exceeded [Radatti, column 7 lines 24-28, 
reporting may be used; as is well known in the art it is inherent that the reporting will take 
place after detection]. 

Examiner acknowledges Radatti does not disclose "the predetermined number is at 
least one," but argues that Szor is similar to Radatti in that Szor provides a method for 
network intrusion detection. Examiner observes that Szor discloses a local analysis center 
(LAC) that receives notification packets about malicious code [Szor, paragraphs 102-104], 
and that the LAC checks to see if an attack threshold has been exceeded which is incremented 
by one for each notification packet [Szor, paragraphs 108-109], and then appropriate action is 
taken [Szor, paragraph 113]. Based on this, Examiner argues that it would have been obvious 
to one of ordinary skill in the art at the time of invention "to modify the method of Radatti to 
include the functionality of the LAC of Szor in order to determine a minimum level of 
suspicious activity," citing Szor, paragraph 108. 
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A ppellant's Rebuttal 

Claim 24: 

Appellant respectfully submits that amended claim 24 is patentably distinct because 
the references relied upon do not teach or suggest all of what the claims recite. MPEP 2143.03 
("All words in a claim must be considered in judging the patentability of that claim against the 
prior art," citing In re Wilson, 424 F.2d 1382, 1385, 165 USPQ 494, 496 (CCPA 1970)). 
Further, no rational underpinning has been stated for modifying the references such that all of 
what the claims recite would have been obvious to one of ordinary skill in the art at the time 
of invention. MPEP 2143.01 III (citing KSR International Co. v. Teleflex Inc., USPQ2d 1385, 
1396 (U.S.S.C. 2007)). 

Claim 24 indicates first hash values, derived from and representing a plurality of 
replicas of a file, are computed and stored. Current hash values for the replicas of the file are 
computed. Further, claim 24 goes on to state that the current and first hash values are 
compared "in order to identify whether all the hash values match." Still further, independent 
claim 24 recites "detecting that a vulnerability exists responsive to the hash value comparison 
indicating more than a predetermined number of changed replicas of the file, and that no 
vulnerability exists responsive to the hash value comparison indicating less than or equal to 
the predetermined number of changed replicas, wherein the predetermined number is at least 
one." In other words, more than one file must be changed in order to indicate a vulnerability. 

Even aside from the amendments submitted herein, the cited references do not teach or 
suggest the claimed combination of features. In particular, the primary reference, Radatti, 
actually teaches away from what is claimed in at least one respect. That is, Radatti teaches 
that any difference in hash value comparison indicates a vulnerability, whereas claim 24 
makes it clear that a vulnerability is indicated only if there is more than one changed replica 
(as indicated by differences in first and current hash values of the respective replicas). For 
example, Radatti, col. 7, lines 47-58, teaches that the system responds to even a single change 
in a file, by stating that ". . . any variation from the secure system state will be detected. The 
nature of the file will not matter insofar as any file that modifies the system and/or its files 
will be detected" (emphasis added). This is different than detecting a vulnerability responsive 
only to a plurality of changes in a replica (e.g., a file), i.e., a "detecting that a vulnerability 

8 



Docket JP920030270US1 



Appl.No.: 10/735,509 
Filed: 12/12/2003 



exists responsive to the hash value comparison indicating more than a predetermined number 
of changed replicas of the file, and that no vulnerability exists responsive to the hash value 
comparison indicating less than or equal to the predetermined number of changed replicas, 
wherein the predetermined number is at least one," as claimed in the present case. 

The rejection relies upon Szor for the teaching that "the predetermined number is at 
least one" in analysis done by a local analysis center ("LAC"). Szor teaches monitoring 
activity of malicious fileless code. Szor, paragraph 37. This is done in order to detect the code 
before signatures have been developed for it. Szor, paragraph 10. An example is monitoring 
calls to a critical "send" function that is provided by an operating system. Szor, paragraphs 
38-39. Szor teaches that when such a send call occurs and it is determined by checking 
operation 204 to not be an attack, or at least a suspected attack, a behavior blocking 
application 1 26 merely continues to check for attacks at 204. Szor, FIG. 2 and paragraph 36. 

In the teaching of Szor, counting may arise once checking operation 204 determines 
that a send call is at least a suspected attack, in which case application 1 26 continues to a next 
checking operation 206 and ultimately may continue to an operation 222 in which malicious 
fileless code, or a snippet of the fileless code, is sent to the LAC in a packet. Szor, FIG. 2 and 
paragraph 101. The LAC may determine conclusively at operation 408 that a single instance of 
certain received code is an attack. Szor, FIG. 4 and paragraph 1 10. However, the LAC might 
not determine this conclusively based merely upon a single instance of certain received code, 
in which case the LAC must receive some number of multiple instances of such code (which 
indicates multiple instances of activity, i.e., a send call, due to the code) before the LAC 
concludes the code's activity represents an attack. Szor, FIG. 4 and paragraph 111. 

The "predetermined number" recited by the claim is a predetermined number of 
changed replicas of a resource (or else, if the amendments submitted herein are entered, 
"replicas of a file"). As indicated in the above discussion, Szor does not teach that in analysis 
done by the LAC, the LAC finds that the predetermined number of changed replicas of a 
resource is at least one. Thus the rejection relies not simply upon modifying the teachings of 
Radatti "to include the functionality of the LAC of Szor." The rejection also relies on 
modifying the teaching of Szor regarding the functionality of the LAC, such that in analysis 
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done by the LAC, the LAC finds that the predetermined number of changed replicas of a 
resource is at least one. 

The rejection must state a rational underpinning for the modification of both the 
teaching of Radatti and Szor. MPEP 2143.01 III (citing KSR International Co. v. Teleflex Inc., 
USPQ2d 1385, 1396 (U.S.S.C. 2007)). This has not been done. That is, the rejection modifies 
determining a minimum suspicious level ' by detecting even merely one change, as taught by 
Radatti, to adopt Szor's teaching of determining a minimum suspicious level by detecting 
more than one instance. The stated rationale for the modification is "in order to determine a 
minimum suspicious level of activity." Appellant respectfully submits that this is mere 
circular logic and not a rational underpinning for the modification. 

Further, the rejection modifies the teaching of Szor. The need to modify Szor in order 
to apply it to the claim of the present invention arises at least partly because the problem 
addressed by Szor is not precisely the same as those addressed in Radatti and in the present 
invention. This tends to indicate, in and of itself, that the propounded combination and 
modification should be subject to more scrutiny than if the problems are precisely the same. 
See MPEP 2143.01 I (citing Ruiz v. A.B. Chance Co., 69 USPQ2d 1686, 1690 (Fed. Cir. 
2004), in which motivation was found sufficient at least partly because the references dealt 
with precisely the same problem). 

Szor teaches a host computer monitoring calls to a critical function of an operation 
system and responsively sending fileless code to an LAC if the code called that function and is 
deemed suspicious by an attack checking operation 204, and then the LAC counting instances 
of received suspicious fileless code (or portions thereof), as explained above. Contrast this to 
"detecting that a vulnerability exists responsive to the hash value comparison indicating more 
than a predetermined number of changed replicas of the resource" [or "file," if the amendment 
submitted herein is entered], where hash values represent "replicas . . . stored on respective 
data processing systems," as claimed, and as the rejection contends that Radatti teaches. 

In order to modify the LAC of Szor so that the LAC finds that a predetermined number 
of changed replicas of a resource is at least one, requires that the LAC would have to be 
modified to also compare instances of received suspicious fileless code to see if they are 
1 The claim in the present application states this as "detecting that a vulnerability exists." 
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changed versions of an original instance, which would also require that the LAC receive 
information to enable it to do this. There is not suggestion of such modification in the 
references and no rationale is given in the rejection for such a modification. Appellant 
respectfully submits that the rejection is, therefore, improper for this reason, as well. 

If the amendments submitted herein are entered, Appellant respectfully submits that 
the rejection is all the more certainly improper, since the amended claims indicate that the 
changed replicas of "resources" are files, not fileless code, as taught by Szor. 

Further, the proposed modification cannot change the principle of operation of a 
reference. MPEP 2143.01 VI (citing In re Ratti, 123 USPQ 349 (CCPA 1959). But the 
principle of operation of LAC in Szor is substantially different than that of Radatti, as 
explained above. Appellant submits that it would impermissibly change the principle of 
operation of Szor to modify the LAC to also compare instances of received suspicious fileless 
code to see if they are changed versions of an original instance, and to modify the host so that 
the information sent to the LAC enables the LAC to do this. Appellant respectfully submits 
that the rejection is, therefore, improper for this reason, as well. 



For the above reasons, Appellant contends the invention defined in claim 24 is 
patentably distinct. Appellant requests that the Board grant allowance and prompt passage of 
the application to issuance. 



Anthony V.S. England 
Registration No. 35,129 
Attorney of Record for 
IBM Corporation 
Telephone: 512-477-7165 
a@aengland.com 



Attachments: Claims Appendix, Evidence Appendix, Related Proceedings Appendix 



REQUEST FOR ACTION 



Respectfully submitted, 




11 



Appl.No. 09/892,147 
Filing Date: 06/26/2001 



JP920000426US1 



APPENDIX "AA" CLAIMS 

1-23. (canceled) 

24. (currently amended) A method comprising the steps of: 

computing first hash values derived from and representing a plurality of replicas of a 
rcsourcc file, wherein the replicas are stored on respective data processing systems within a 
network; 

a) storing the computed first hash values; 

b) computing current hash values for the replicas of the rcsourcc file; 

c) comparing the current and first hash values in order to identify whether all the hash 
values match, wherein nonmatching first and current hash values for a respective one of the 
replicas indicates the respective one of the replica has changed since the computing of the first 
hash value; 

d) detecting that a vulnerability exists responsive to the hash value comparison 
indicating more than a predetermined number of changed replicas of the rcsourcc file, and 
that no vulnerability exists responsive to the hash value comparison indicating less than or 
equal to the predetermined number of changed replicas, wherein the predetermined number is 
at least one; and 

e) presenting a message for a user indicating a vulnerability, wherein the presenting is 
responsive to the predetermined number being exceeded. 

25. (previously presented) The method of claim 24, wherein steps a), b), c), and d) are 
performed at a first data processing system within the network. 

26. (previously presented) The method of claim 24, wherein step b) is performed at 
each replica's respective data processing system, the method further comprising sending the 
computed hash values to a first data processing system. 

27. (previously presented) The method of claim 24, wherein the vulnerability includes 
a vulnerability to a computer virus. 
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APPENDIX "AA" CLAIMS 

28. (previously presented) The method of claim 24, wherein the vulnerability includes 
a vulnerability to computer hacking. 

29. (currently amended) The method of claim 24 further comprising: 

classifying as vulnerable the data processing systems storing the replicas, wherein the 
classifying is responsive to the predetermined number of changed replicas of the rcsourcc file 
being exceeded. 

30. (previously presented) The method of claim 24, the steps further comprising: 
sending a notification of the vulnerability to each data processing system storing one 

of the replicas; 

selecting a sequence of vulnerability-resolution instructions relevant to the 
vulnerability; and 

sending the selected instructions to each of the data processing systems storing one of 
the replicas. 

31-44. (canceled) 
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APPENDIX "BB" EVIDENCE 

NONE. 
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APPENDIX "CC" RELATED PROCEEDINGS 

NONE. 
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